Qualys Indication of Compromise


IOC to the Next Level


Management, Qualys, Inc. 


Adversary TTPs are Changing 


Early 2010s 
Zero-day Vulnerabilities 
(Nation State, Industrial Espionage, Black Market) 


Today 
Rapidly weaponizing newly-disclosed vulnerabilities 
(Good, Fast, Cheap - Pick 3) 
Known Critical Vulnerabilities are Increasing

6-7K vulnerabilities disclosed each year*


30-40% are ranked as 
“High” or “Critical” severity 


“Mean Time to 
Weaponize” (MTTW) is 
rapidly decreasing y/y 
Announcing: CVE-2018-12238


Multiple Symantec Products CVE-2018-12238 Local Security Bypass Vulnerability


Bugtraq ID: 105917
CVE: CVE-2018-12238
Remote: No   Local: Yes
Published: Nov 28 2018 12:00AM
Credit: Qualys Malware Research Lab
Qualys QIDs: 371337, 371338


Vulnerable:

Symantec Norton AntiVirus 22.7
Symantec Norton AntiVirus 21.0
Symantec Norton AntiVirus 17.6.0.32
Symantec Endpoint Protection Cloud 12.1.6
Symantec Endpoint Protection Cloud 14
Symantec Endpoint Protection 12.1.6 MP4
Symantec Endpoint Protection 12.1.6

+ 95 other products
Vulnerability Management Lifecycle


Asset Inventory -> Vulnerability Management -> Threat Risk and Prioritization -> Patch Management (and back to Asset Inventory)
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Get Proactive — Reduce the Attack Surface 


Immediately Identify Vulnerabilities in Production 
Notify IT Asset Owner to Patch/Stop the Instance 
Control Network Access / Cloud Security Groups 


Change Configuration to Limit Access (Compliance) 
Add Detection and Response - Endpoint & Network 
Proactively Hunt, Detect, and Respond


Indication of Compromise
Detect IOCs, IOAs, and verify Threat Intel


Passive Network Sensor
What new devices are on the network? Are there new / different traffic patterns?
Organizations Struggle to Answer Basic Questions


Are these hashes present on / running in my network?
Are these mutexes / processes / registry keys present?


Did any endpoints connect to these IPs / domains?
Are there any connections to Tor exit nodes?


What system was impacted first ("Patient Zero")?
Did this spread to other systems? When?
Qualys IOC Use Cases - Visibility Beyond AV


Threat Intel Verification
Threat intel feeds / mandated to verify: "Is this hash, registry key, process, mutex on my network?"


Hunting / Find Suspicious Activity
Indicator of Activity hunting with pre-built and user-defined queries, including for fileless attacks


"Look Back" Investigation after a known breach
Find the first occurrence of a breach


Detect Known/Unknown Malware Family Variants
Threat feeds (OEM, customer)


API Integration
SIEM
Threat Intel Verification


1. Threat Intelligence lists attack information.

NCCIC alert, October 6, 2017: "NotPetya Ransomware spreading using ETERNALBLUE Vulnerability and Credential Stealing"

On June 27, 2017, NCCIC [13] was notified of Petya malware events occurring in multiple countries and affecting multiple sectors. This variant of the Petya malware, referred to as NotPetya, encrypts files with extensions from a hard-coded list. Additionally, if the malware gains administrator rights, it encrypts the master boot record (MBR), making the infected Windows computers unusable. NotPetya differs from previous Petya malware primarily in its propagation methods using the ETERNALBLUE vulnerability and credential stealing via a modified version of Mimikatz.

Technical Details

Anti-Virus Coverage: VirusTotal reports 0/66 anti-virus vendors have signatures for the credential stealer as of the date of this report.

Delivery - MD5: 71b6a493388e7d0b40c83ce903bc6b04
Installation - MD5: 7e37ab34ecdcc3e77e24522ddfd4852d
Credential Stealer (new) - MD5: d926e76030f19f1f7ef0b3cd1a4e80f9

Secondary Actions: NotPetya leverages multiple propagation methods to spread within an infected network. According to malware analysis, NotPetya attempts the lateral movement techniques below:


2. Search for the file hash.

Qualys Indication of Compromise demo, Hunting view: query d926e76030f19f1f7ef0b3cd1a4e80f9, Last 7 Days, no remaining filters. Total events: 2 (View related FIM Events).

TIME        OBJECT        ASSET
a day ago   svchost.exe   WIN2008R2-11566 (10.11.114.11)
            svchost.exe   WIN7-320860-T44 (10.11.114.x)


3. Find the object there.
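The hunting questions from the "Organizations Struggle to Answer Basic Questions" slide (hashes, IPs / domains, Tor exits, patient zero, spread) and the hash search in this demo all reduce to one sweep over endpoint telemetry. The block below is an added example, not Qualys IOC code and not its query language: it runs over a constructed set of process and network-connection events (host names echo the demo screenshot; the three MD5s are the NotPetya hashes from the NCCIC report quoted above; the C2 IP, C2 domain, Tor exit address and the benign explorer.exe hash are made up), matches each event against the indicator lists, and orders the hits to answer which host was hit first and how the infection spread.

```python
"""IOC sweep over endpoint telemetry: an added example, not Qualys IOC code.

Answers the hunting questions from the slides: is this hash running
anywhere, did any host talk to a known-bad IP/domain or a Tor exit node,
which host was hit first ("patient zero") and how did it spread.
"""
from datetime import datetime

# File-hash indicators. The three MD5s are the NotPetya values quoted from
# the NCCIC report on the slide above; the labels are ours.
IOC_HASHES = {
    "71b6a493388e7d0b40c83ce903bc6b04": "NotPetya delivery",
    "7e37ab34ecdcc3e77e24522ddfd4852d": "NotPetya installation",
    "d926e76030f19f1f7ef0b3cd1a4e80f9": "NotPetya credential stealer",
}
# Network indicators: constructed for this example (documentation ranges).
IOC_NETWORK = {
    "198.51.100.23": "constructed C2 IP",
    "update.bad.example": "constructed C2 domain",
}
# A real sweep loads the published Tor exit-node list; one constructed entry.
TOR_EXIT_NODES = {"203.0.113.7"}

# Constructed endpoint telemetry, deliberately out of time order. Host names
# echo the demo screenshot; the explorer.exe hash is a benign non-match.
TELEMETRY = [
    {"ts": "2017-06-27T10:41:00", "host": "WIN2008R2-11566", "type": "process",
     "image": "svchost.exe", "md5": "7E37AB34ECDCC3E77E24522DDFD4852D"},
    {"ts": "2017-06-27T10:02:00", "host": "WIN7-320860-T44", "type": "process",
     "image": "rundll32.exe", "md5": "71b6a493388e7d0b40c83ce903bc6b04"},
    {"ts": "2017-06-27T10:03:30", "host": "WIN7-320860-T44", "type": "netconn",
     "dst": "198.51.100.23"},
    {"ts": "2017-06-27T10:05:00", "host": "WIN7-320860-T44", "type": "process",
     "image": "explorer.exe", "md5": "0f343b0931126a20f133d67c2b018a3b"},
    {"ts": "2017-06-27T11:15:00", "host": "WIN10-CFO-01", "type": "process",
     "image": "svchost.exe", "md5": "d926e76030f19f1f7ef0b3cd1a4e80f9"},
    {"ts": "2017-06-27T11:16:00", "host": "WIN10-CFO-01", "type": "netconn",
     "dst": "203.0.113.7"},
]


def match(event):
    """Return (indicator, label) if the event touches a known indicator."""
    if event["type"] == "process":
        # Feeds and sensors disagree on hex case; normalise before lookup.
        md5 = event["md5"].lower()
        label = IOC_HASHES.get(md5)
        return (md5, label) if label else None
    if event["type"] == "netconn":
        dst = event["dst"].lower()
        if dst in IOC_NETWORK:
            return (dst, IOC_NETWORK[dst])
        if dst in TOR_EXIT_NODES:
            return (dst, "Tor exit node")
    return None


def sweep(events):
    """Match every event against the indicators and build the spread timeline.

    Returns {"hits": time-ordered hit records,
             "patient_zero": host with the earliest hit (None if no hits),
             "spread": [(host, first_hit_time), ...] in order of first hit}.
    """
    hits = []
    for ev in events:
        hit = match(ev)
        if hit is None:
            continue
        hits.append({
            "ts": datetime.fromisoformat(ev["ts"]),
            "host": ev["host"],
            "indicator": hit[0],
            "label": hit[1],
        })
    # Patient zero is the earliest hit across hosts, so sort by time rather
    # than trusting the arrival order of the telemetry.
    hits.sort(key=lambda h: h["ts"])
    first_seen = {}
    for h in hits:
        first_seen.setdefault(h["host"], h["ts"])
    spread = sorted(first_seen.items(), key=lambda kv: kv[1])
    return {
        "hits": hits,
        "patient_zero": spread[0][0] if spread else None,
        "spread": spread,
    }


if __name__ == "__main__":
    result = sweep(TELEMETRY)
    print("patient zero:", result["patient_zero"])
    for host, ts in result["spread"]:
        print(f"  first hit {ts.isoformat()}  {host}")
    print("all hits:")
    for h in result["hits"]:
        print(f"  {h['ts'].isoformat()}  {h['host']:<16} {h['label']:<28} {h['indicator']}")
```

In a real deployment TELEMETRY is the EDR / IOC event export and the indicator sets come from the feed. Two details matter in practice: hashes are lower-cased before lookup because feeds and sensors disagree on case, and patient zero is taken from the earliest hit time after sorting, not from whichever event arrived first, because collection order rarely matches execution order.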
Malware Hides with Stolen Code-Signing Certificates


welivesecurity: "Certificates stolen from Taiwanese tech-companies misused in Plead malware campaign"


D-Link and Changing Information Technologies code-signing certificates stolen and abused by highly skilled cyberespionage group focused on East Asia, particularly Taiwan


https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/


A valid signature only proves that the signer held the private key, so "signed by a known vendor" is not by itself a clean verdict; the signer identity, certificate revocation status, and the file hash still have to be checked against threat intel.
IOC 2.0 Release (Dec 2018)


Responses - Alerting and Actions
Send alerts via Email, Slack, PagerDuty for any Hunting (QQL) searches


UI Updates
Event Relationship Tree / Trending Widgets / Event Group By Asset


Threat Feed (find malware that legacy AV may have missed)
Known Bad - 1B hashes
CVE-to-Malware hashes (shared with Threat Protection)


New Scoring Model
Prioritization for Investigation and Response (confirmed vs. suspicious)
Integration with Alerting / Actions


IOC API
Integrate with any 3rd party SIEM / TIP
Splunk TA + Dashboards - Jan 2019
New IOC CVE - File Reputation Threat Feed


Vulnerability Management (VM)
Find vulnerabilities; verify that vulnerabilities have been remediated


Threat Protection (TP)
Real-time indicators for which vulnerabilities have known / PoC exploits; prioritize vulnerability remediation on likelihood of attack


Indication of Compromise (IOC)
Threat feed of malware hashes used in real-world vulnerability exploits; prioritize vulnerability remediation based on successful attacks in your network
Indication of Compromise


Threat Intel Verification
Hunting
Alerting
Create Emergency Patch Job from CVE Exploitation


(Demo screenshot values: hash 18fclb9b29a2d28lec931OfF9F226ad77e3cb9c558f696c37390bbac72baa8ba8, IP 168.63.129.16)
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Thank You 


Chris Carlson 
ccarlson@qualys.com 


